I am new to WIF (Windows Identity Foundation). I've been reading about it but i have some doubts.
Is it possible to use WIF to authenticate against directory services other than AD (for example, OID) and for authentication can I connect to databases (SQL and Oracle)?
WIF doesn't actually do the authentication - it's a set of .NET classes which handle the WS-Federation protocol and token management e.g. signing, encrypting.
The authentication is provided by the STS that WIF "binds" to.
In the classic model, WIF binds to ADFS which can only authenticate against AD.
However, by using another STS (e.g. IdentityServer) you can authenticate against SQL Server.
You can roll your own STS which can authenticate against anything you want.
Related
I don't understand the difference between identity server and an identity provider. Are they same?
Can an identity server act as an identity provider for a cross-domain app.
In this world of identity, there are a lot of different terms. Colloquially, they mean the same or very similar things, so your confusion is justifiable. There are nuanced differences though:
Identity Provider (IdP):
A software component that authenticates and issues a token representing a user or other entity.
An organization or business that is responsible for the digital identity of a user or other entity.
Identity Server:
A server software component (in the client/server sense of the word) that authenticates and issues tokens that represent a user or other entity.
OpenID Connect Provider (OP):
An identity server or service that supports the OpenID Connect protocol, and, thus, issues identity tokens to client application (which is referred to as a Relying Party, RP). Commonly called an IdP.
SAML Identity Provider:
An identity server or service that supports the SAML protocol. Commonly called an IdP.
Authorization Server (AS):
A server (in the client/server sense of the word) that issues access tokens according to the OAuth protocol.
Identity Service:
A Web service or platform that authenticates and issues tokens that represent a user or other entity. Analogous to an identity server except that it is provided using a Software as a Service (SaaS) delivery model as opposed to software delivered. This is commonly referred to as Identity as a Service (IDaaS).
I have created a Web API using ASP.NET Core 2.1 and it uses (successfully) JWT as a method of authorising requests.
The API is linked to a SQL Server database.
My users are stored in it using Identity as the base framework.
To authorise access for my API I take the username and password which is checked against the stored (Identity based) user.
Successful login returns an Access Token (with a 30min life).
Upon first logging in, a Refresh Token is generated and stored against the Identity user and sent back from the API.
All of this works well. My next step was to create a separate .NET Core 2.1 MVC site which consumes the API.
My question is:
From the MVC site point of view, how do I secure my controllers and views based on this security set up? I would normally use the [Authorize] attribute as part of Identity.
All I have on the MVC site side at the moment is the Access Token (and Refresh token) for the user in question.
I'm thinking the following solution:
MVC Site has it's own database and authentication for users (using Identity).
The connection (credentials/tokens) to the API is stored separately in the MVC site database and used as a 'global' way on the server-side to execute calls against the API
You should use an OpenID Connect and OAuth 2.0 framework. please check IdentityServer4. It also support asp.net core identity
IdentityServer is an OpenID Connect provider - it implements the
OpenID Connect and OAuth 2.0 protocols.
Different literature uses different terms for the same role - you
probably also find security token service, identity provider,
authorization server, IP-STS and more.
But they are in a nutshell all the same: a piece of software that
issues security tokens to clients.
IdentityServer has a number of jobs and features - including:
protect your resources
authenticate users using a local account store or via an external identity provider
provide session management and single sign-on
manage and authenticate clients
issue identity and access tokens to clients
validate tokens
We have an existing MVC angular application enabled with ADFS WS-Fed authentication. The application has many API's hosted as a part of the solution which is internally accessed by views. Now, We have a requirement for the API to be published to other developers.
I am thinking of enabling OAuth/OpenId for the endpoints and enable other developers to access. I need your inputs regarding my approach.
There is no support in ADFS 2.0 for OpenID Connect and OAuth.
The only API option you have is via WCF.
In simple My only requirements are to implement SSO in my application:
Use ADFS 2012 R2 for SSO (OAuth2 protocol).
User will get token using oAUth 2.0 VIA ADFS Server using login prompt for credential or what ever authentication scheme is configured on ADFS form based or windows based.
If same user that is authenticated using oAuth for one application if second application want to use the same user then the login box that ADFS presented using oAUth2.0 should not appear.
Now, please help me how OWIN.SECURITY.OAuth or any other oAuth will help me and what is the best way to implement in MVC web application. Please provide sample applicaiton.
ADFS 2012 R2 only supports public clients. Web sites are confidential clients, hence you cannot perform an OAuth2 authorization grant with ADFS 2012 R2. But you should not be too bummed, given that an OAuth2 authorization grant would not give you SSO anyway - OAuth2 is not a sign on protocol.
If you want to perform web sign on using OAuth-like technology, I recommend you consider OpenID Connect and the ADFS version that comes with Windows Server 2016 (currently in technical preview 4).
We have two existing legacy web applications, one for the intranet using windows authentication within the domain, and one internet application, performing a custom web forms username + password based authentication. Now a new web applications is developed and will be available in the internet to both internet and intranet users, handling both authentication models. Therefore we decided to use WIF. We're going for ASP.NET 4.5 MVC 4 on Windows Server 2012.
The intranet authentication shouldn't be a problem as we can use ADFS 2.0 here.
But we currently have no clue how to solve the username + password authentication. It looks like we need to develop a custom UserNameSecurityTokenHandler to authenticate users which provide username + password information which is verified against our custom membership provider. But I need some assistance with the whole workflow...
Assume that we have a custom login page for internet users; and assume that we managed to route internet users to this login page (in ASP.NET MVC), what's the missing part from here to a valid token? How would the form or the MVC controller action which received the provided username + password proceed to trigger the configured WIF identity provider?
The most elegant solution would be to create another STS for the external users and have ADFS trust this as an identity provider:
External users will be redirected to the IdP STS that would use the usr/pwd database. Internal users will authenticate through ADFS directly (against AD).
In this scenario, ADFS is acting both as an IdP and a Federation Provider.
For this to work you need both ADFS and the IdP (and the app) exposed to the internet. An STS you can use that leverages membership is IdentityServer, which is open source and you can of course customize for your needs.
With this architecture you don't need any special customizations/extensions in the app. You will need to handle "home realm discovery" though. Which is the process of knowing where to authenticate users on (e.g. intranet vs. extranet). Presumably, you might have different URLs, etc.